Locking down Safari/Firefox Extensions

discounteggroll
New Contributor III

Hi, I have been able to blacklist/whitelist google chrome extensions, but have not been able to figure out a way to do the same for Firefox/Safari. Has anyone been able to find a way to do this successfully?

10 REPLIES 10

bentoms
Release Candidate Programs Tester

@discounteggroll For Firefox, i'd look at CCK, might be something there.

For Safari, I'm not sure what the options are. Maybe something can be set for Safari via a config profile? With Safari 9, Apple started to lock things down in regards to extensions, & erm... I might be a little to blame.. so, sorry about that!

Buscher
New Contributor II

It would be great if the JSS added an easy way to block or allow extensions on Popular Browsers. Seems like it would be easy code to write for the smart people at Jamf and then for us not so smart admins out in the world we could do a better job keeping student computers clean.

RitBit
New Contributor

For FireFox you can easily set profiles: https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment
Same as with chrome: https://www.chromium.org/administrators/policy-list-3#ExtensionInstallBlacklist https://www.chromium.org/administrators/configuring-other-preferences

Safari is very limited on this: see https://www.jamf.com/jamf-nation/discussions/15324/disabling-safari-extensions
It's possible to block certain extensions by dropping them into /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

jorge_
New Contributor III

Do you have a better link for this? seems like navigating to this one takes me to a page that is no longer active:
https://support.mozilla.org/en-US/kb/block-add-ons-firefox-enterprise

i was able to blacklist all chrome extensions, and whitelist a selected few, still attempting to figure out firefox.

s_hass
New Contributor II

You can create a new configuration profile.
Therefore you have to upload a plist file at "Application & Custom Settings"
Here is an example plist:

Preference Domain: org.mozilla.org

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>EnterprisePoliciesEnabled</key> <true/> <key>ExtensionSettings</key> <dict> <key>*</key> <dict> <key>installation_mode</key> <string>blocked</string> </dict> key>uBlock0@raymondhill.net</key <dict> <key>installation_mode</key> <string>allowed</string> <key>install_url</key> <string>https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi</string> </dict> key>@contain-facebook</key <dict> <key>installation_mode</key> <string>allowed</string> <key>install_url</key> <string>https://addons.mozilla.org/firefox/downloads/latest/facebook-container/latest.xpi</string> </dict> </dict> </dict> </plist>

This plist will blacklist every firefox extension and whitelist specific ones.

In this case the addons uBlock origin and Facebook Container are allowed.
You can also force the installation of plugins if you want by using installation mode "force_installed" instead of "allow".

More information about the parameters you can find here:
https://github.com/mozilla/policy-templates#extensions

This addon can help to figure out the extension ID:
https://github.com/mkaply/queryamoid/releases/tag/v0.1

Tim_Apple
New Contributor III

I can't get this to work. I created a new configuration profile and pasted your code in die Application & Custom Settings as Property List. But it doesn't work. Also tested the code posted here: https://github.com/mozilla/policy-templates#macos-47

Can someone please help me?

Any update so this?

Tim_Apple
New Contributor III

Unfortunately not

psmac
New Contributor III

Hi @Tim_Apple - I've been playing around with this today and have a working config if it helps you at all.

 

Here's the contents of my Application & Custom Settings -> Upload plist 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>EnterprisePoliciesEnabled</key>
	<true/>
	<key>ExtensionSettings</key>
	<dict>
		<key>*</key>
		<dict>
			<key>blocked_install_message</key>
			<string>Extension blocked by Security Policy. Please contact the Service Desk if you would like to request this extension to be considered for approval.</string>
			<key>installation_mode</key>
			<string>blocked</string>
		</dict>
		<key>{d634138d-c276-4fc8-924b-40a0ea21d284}</key>
		<dict>
			<key>installation_mode</key>
			<string>allowed</string>
		</dict>
	</dict>
</dict>
</plist>

 

The preference domain is org.mozilla.firefox

 

This config will block all extensions by default and allow the install of a single one (1Password in this example).

 

Good luck!

efil4xiN
Contributor II

circling back. I came up with something similar to @psmac . Now if I could figure out how to make this a JSON. where you could create a field to enter this , i'd be golden

<key>{d634138d-c276-4fc8-924b-40a0ea21d284}</key>